I tried a couple of tests to see if we could replicate what @rikvduijn discovered.

In the first test, we printed out two selfie photos — one color and one black and white — taken with my iPhone X's 7-megapixel front-facing camera.

I then placed the photos on the a table, held them up against a wall, and even had several colleagues hold them up over their faces to see if the OnePlus 6 would be fooled.

A regular print didn't work.

Image: raymond wong/mashable

Nothing happened. The OnePlus 6 remained locked (a good thing!) no matter how we positioned the photos and phones. It just refused to be tricked by a flat 2D image.

Of course, the print wasn't scaled to life-size proportions, so I took the same photo, enlarged it, cropped it to just the face, and then cut it out just like in the Twitter user's video.

Here's what I learned.

For the most part, the OnePlus 6 isn't easily fooled by a printout of a registered face. Placed on a table, on a wall, and in front of a person's face, the OnePlus 6's face unlock feature doesn't work. Too many unsuccessful tries will de-activate the face unlock feature and force the phone to require your passcode, just like the iPhone X's Face ID.

However!

I ran a slightly different test and the results were the complete opposite. In this second test, I made sure to unlock the OnePlus 6 with my registered face first, and then immediately placed it in front of a friend holding my face printout... and the phone unlocked.

Four out of five times, it worked perfectly. It sometimes took a few tries — moving around to hide light reflections or shadows, or bending the photo — but whenever I unlocked the phone first with my face and then moved it to the paper printout, it almost always worked.

This worked with the color version of my face, but not the black and white.

(In the above video, the OnePlus 6 unlocks for my colleague Brian who's got a print of my face in front of him. Not shown in the video: Me unlocking the phone with my face just seconds before.)

These two tests suggests the phone's face unlock is generally unfoolable. For example, if someone has your OnePlus 6 and then prints a photo of your face, it's unlikely they'll be able to unlock the phone.

But, if you're right next to the phone and someone else has a printout of your face, and tries it again after you've just unlocked it, then all your data is belong to them. But really, how likely is that scenario?

Test No. 2 suggests there might be a very short timeframe on the OnePlus 6 where the phone's face unlock either caches your real face (based on the "100 identifiers" the software uses to detect a face) slightly weakening the security when it's quickly shown a paper printout. Basically, the phone just saw your face a second ago, so therefore it thinks a printout, which looks just like your face must still be the real you.

Of course, this is just a hypothesis based on the multiple successful attempts we did with method No. 2 and the multiple failed trials with method No. 1.

I also asked @rikvduijn his testing methodology, and although I wasn't able to get the same results, he says he was able to bypass the face unlock with a printed face held in the air.

We've reached out to OnePlus to see if they can provide a more detailed explanation on what's actually happening and will update this story if they respond.

"Some tricks that made it easier for me: Curve the photo and unlock and lock the phone repeatedly (by clicking the power button)," @rikvdjuijn told me over Twitter DM.

Who's gonna waste their time printing your face out? LOL

Image: Brian wong/mashable

The fact that the OnePlus 6's face unlock can be fooled by a picture shouldn't surprise you.

With the exception of the iPhone X, which uses a TrueDepth camera system of sensors and the Galaxy S8/S9's iris scanner, most Android phones' face-unlock systems are designed for convenience first and security second.

In fact, OnePlus explicitly says this.

In statement to Mashable, OnePlus says:

"We designed Face Unlock around convenience, and while we took corresponding measures to optimize its security we always recommended you use a password/PIN/fingerprint for security. For this reason, Face Unlock is not enabled for any secure apps such as banking or payments. We’re constantly working to improve all of our technology, including Face Unlock."

In other words, this isn't a new concern.

When Samsung's Galaxy S8 launched, a video quickly circulated showing how a selfie displayed on another phone could unlock the device. It sounded the alarms for a hot second and then it passed.

While it was indeed possible to trick the S8's face unlock feature with a selfie, the likelihood of that happening was extremely low.

Same goes for the OnePlus 6. Yes, the face unlock feature can, in some cases, be easily bypassed. But that's because the phone uses 2D-based facial recognition as opposed to the iPhone X's 3D-based face detection or the iris scanner (separate from the face unlock) on the Galaxy S8 and S9.

2D-based facial recognition has been and still is not very secure. That's why these phones usually also have a fingerprint sensor as a backup.

If you're worried about your OnePlus 6's face unlock being fooled by a printed photo of your face, you really shouldn't. The hoops someone would have to jump through to do that probably isn't worth the worry, unless you're somebody super famous or important. In that case, you should turn the face unlock off and use a fingerprint reader or passcode. Or get an iPhone X.

Mashable
is a global, multi-platform media and entertainment company. Powered by its own proprietary technology, Mashable is the go-to source for tech, digital culture and entertainment content for its dedicated and influential audience around the globe.